Abstract

In this paper, a new variant of the ElGamal signature scheme is presented and its security analyzed. We also give, for its theoretical interest, a general form of the signature equation.
1 Introduction

Since the invention of public key cryptography in the late 1970s [2, 13, 12], several new subjects related to data security, such as identification, authentication, zero-knowledge proofs and secret sharing, were explored. But among all these issues, and perhaps the most important, is how to build secure digital signature systems. For more than three decades, the topic, probably due to its fundamental and practical role in electronic funds transfer, was intensively investigated [10, 15, 14, 4, 1, 11, 9].

There is only one principle on which digital signature algorithms rest. To sign a message m, Alice, with the help of her private key, must answer a question asked by Bob, the verifier. The question is naturally a function of m. Nobody other than Alice is able to forge her signature and give the right answer, not even the asker himself.

In most digital signature schemes, the question considered is a difficult mathematical equation depending on m as a parameter. Only Alice, because she possesses a private key, is able to solve it. In this protocol, we are not necessarily concerned with the security of the transmitted data. Indeed, Bob and Alice can publish respectively the equation and the solution on two protected and separate personal servers.
In 1985, ElGamal [3], inspired by the ingenious Diffie-Hellman ideas on new directions in cryptography [2], was one of the first to propose a practical signature scheme. Used properly, this signature system has never been broken. He built it on a simple equation with two unknown variables. The hardness of this equation relies on the discrete logarithm problem [7, p. 103]. In general, from a public key cryptosystem one can derive a signature scheme. Curiously, in his paper [3], ElGamal did not exploit this possibility and it is still unclear how he found his signature equation. This fact has encouraged many researchers to look for equations having properties similar to those of ElGamal. See, for instance, [14, 4, 5].

Some practical signature protocols, such as Schnorr's method [14] and the digital signature algorithm DSA [8], are directly derived from the ElGamal scheme. The ElGamal signature scheme is permanently facing more and more sophisticated attacks. If the system is completely broken, alternative protocols, previously designed, prepared and tested, would be useful. In this work we present a new variant of the ElGamal signature method and analyze its security. Furthermore, we give, just for its theoretical interest, a general form of our signature equation.

The paper is organized as follows. In section 2, we review the basic ElGamal signature algorithm and recall the main known attacks. Our new variant and a theoretical generalization are presented in section 3. We conclude in section 4.
In the sequel, we adopt the notation of ElGamal's paper [3]. $\mathbb{Z}$, $\mathbb{N}$ are respectively the sets of integers and non-negative integers. For every positive integer n, we denote by $\mathbb{Z}_n$ the finite ring of modular integers and by $\mathbb{Z}_n^*$ the multiplicative group of its invertible elements. Let a, b, c be three integers. The greatest common divisor of a and b is denoted by $\gcd(a, b)$. We write $a = b \ [c]$ if c divides the difference $a - b$, and $a = b \bmod c$ if a is the remainder in the division of b by c.

We start by describing the original ElGamal signature scheme. 

2 ElGamal Original Signature Scheme 

We recall in this section the basic ElGamal protocol in three steps, followed by the best-known attacks.

2.1. ElGamal Algorithm 

1. Alice begins by choosing three numbers:

- p, a large prime integer.

- a, a primitive root [7, p. 69] of the finite multiplicative group $\mathbb{Z}_p^*$.

- x, a random element in $\{1, 2, \ldots, p-1\}$.

She computes $y = a^x \bmod p$. We consider then that $(p, a, y)$ is Alice's public key and x her private key.

2. Assume that Alice wants to sign the message $m < p$. She must solve the congruence

$$a^m = y^r r^s \ [p] \qquad (1)$$

where r and s are two unknown variables.

Alice arbitrarily fixes r to be $r = a^k \bmod p$, where k is chosen randomly and invertible modulo $p - 1$. She has exactly $\varphi(p-1)$ possibilities for k, where $\varphi$ is Euler's phi function [7, p. 65]. Equation (1) is then equivalent to:

$$m = x r + k s \ [p-1] \qquad (2)$$

As Alice possesses the secret key x, and as the integer k is invertible modulo $p - 1$, she computes the second unknown variable s by: $s = \dfrac{m - x r}{k} \ [p-1]$.

3. Bob can verify the signature by checking that congruence (1) is valid.
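To make the three steps concrete, here is an added Python example (not code from the paper) of the original scheme in the paper's notation: $y = a^x \ [p]$, $r = a^k \ [p]$ and s solved from relation (2). The key (p, a, x) = (509, 2, 281) is borrowed from Example 3.1 later in the paper; the message m = 100 and the exponent k = 5 are constructed here.

```python
# Added example, not the paper's code: the ElGamal scheme of Section 2.1.
from math import gcd

def elgamal_sign(p, a, x, m, k):
    """Sign m < p with private key x and secret exponent k: solve (1) via (2)."""
    if not 0 <= m < p:
        raise ValueError("message must satisfy m < p")
    if gcd(k, p - 1) != 1:
        # Only the phi(p-1) exponents invertible modulo p-1 are admissible,
        # and (Proposition 2.1) k must never be reused for a second message.
        raise ValueError("k must be invertible modulo p-1")
    r = pow(a, k, p)                              # r = a^k [p]
    k_inv = pow(k, -1, p - 1)                     # extended-Euclid step (k^{-1} mod p-1)
    s = (m - x * r) * k_inv % (p - 1)             # s = (m - x r) / k [p-1]
    return r, s

def elgamal_verify(p, a, y, m, r, s):
    """Bob's check of congruence (1): a^m = y^r r^s [p]."""
    if not (1 <= r <= p - 1 and 0 <= s <= p - 2):
        return False                              # range check on (r, s); standard, not from the paper
    return pow(a, m, p) == pow(y, r, p) * pow(r, s, p) % p

# Constructed instance: key of Example 3.1 (p = 509, a = 2, x = 281, so y = 482),
# a constructed message m = 100 and an odd exponent k = 5 with gcd(5, 508) = 1.
P, A, X = 509, 2, 281
Y = pow(A, X, P)
R, S = elgamal_sign(P, A, X, 100, 5)
```

An even k (for instance k = 4) is rejected by the gcd test, which is exactly the constraint the variant of section 3 removes.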

The problem of key generation must be taken into account. There exist essentially probabilistic algorithms for generating prime integers. In a recent previous work [6], we obtained experimental results on the subject.
Now, we recall the main known attacks.

2.2. Main attacks 

The first attack was mentioned by ElGamal himself [3]. It is not recommended to sign two different messages with the same secret exponent. As the complete justification of this attack does not appear in ElGamal's paper, we reproduce here the proof from [16, p. 291], which seems to us less restrictive than that in [7, p. 455].

Proposition 2.1. If Alice signs more than one message with the same secret 
exponent, then her system can be totally broken. 

Proof. Let $(m_1, r, s_1)$ and $(m_2, r, s_2)$ be the signatures of the two messages $m_1$ and $m_2$ with the same secret exponent k. Due to relation (2), we retrieve Alice's secret key x if we find the value of the parameter k, provided that r is invertible modulo $p - 1$.

We have $m_1 = x r + k s_1 \ [p-1]$ and $m_2 = x r + k s_2 \ [p-1]$, so:

$$m_1 - m_2 = k (s_1 - s_2) \ [p-1] \qquad (3)$$

If we put $\gcd(s_1 - s_2, p-1) = d$, there exist two integers S and P such that $s_1 - s_2 = d S$, $p - 1 = d P$ and $\gcd(S, P) = 1$. Thus relation (3) becomes: $m_1 - m_2 = k (s_1 - s_2) + K (p-1) = k d S + K d P$, $K \in \mathbb{Z}$. With $M = k S + K P$, we obtain $M = k S \ [P]$. As S is invertible modulo P, we have

$$k = M S^{-1} + K P \qquad (4)$$

Since $k < p - 1$ and $p - 1 = d P$, we deduce that $K < d$. By equality (4), we can test every value of K and check if $r = a^k \ [p]$. We find K if d is not too large.

□

In 1996, Bleichenbacher [1] discovered an important fact: when some parameters are smooth [16, p. 197], it is possible to forge an ElGamal signature without solving the discrete logarithm problem. We present here a slightly modified version of his result.

Proposition 2.2. Let $(p, a, y)$ be Alice's public key. Suppose that $\beta < p$ is a positive integer for which one can efficiently compute $t \in \mathbb{N}$ such that $\beta^t = a \ [p]$. If $\dfrac{p-1}{\gcd(p-1, \beta)}$ is smooth, then an adversary of Alice will be able to forge her signature for any given message M.

Proof. Let $D = \gcd(p-1, \beta)$ and $\beta = A D$, $A \in \mathbb{N}^*$. We denote by H the subgroup of $\mathbb{Z}_p^*$ generated by $a^D \bmod p$. Since $y^D = (a^x)^D = (a^D)^x \ [p]$, we have $y^D \in H$. From a well known result, as the order $(p-1)/D$ of H is smooth, the discrete logarithm problem is computationally feasible: one can efficiently find $z \in \mathbb{N}$ such that $y^D = (a^D)^z \ [p]$.

Let M be a message to be signed and $m = h(M) \bmod p$, where h is a public hash function. Alice's adversary sets $r = \beta$. ElGamal signature equation (1) becomes $a^m = y^\beta \beta^s \ [p]$, that is $a^m = a^{\beta z} \beta^s \ [p]$, since $y^\beta = (y^D)^A = (a^D)^{zA} = a^{\beta z} \ [p]$.

Hence $s = t (m - \beta z) \ [p-1]$, and then the couple (r, s) is a valid signature of the message M, which achieves the proof.

Observe that it is not so surprising to choose $r = \beta$ or $r = \beta^i \bmod p$, $i \in \mathbb{N}$, since $\beta^t = a \ [p]$ implies that $\beta$ is another generator of $\mathbb{Z}_p^*$.

□

The next section presents our main contribution.

3 New Variant and Theoretical Generalization

In this section, we suggest a new variant of the ElGamal signature scheme based on an equation with three unknown variables. The method does not need the computation of the inverse of the secret exponent and so avoids the use of the extended Euclidean algorithm. Technical report [4], although it collected several signature equations, did not study the case we propose here.

3.1. Our protocol 

We suppose first that h is a public secure hash function. We can take h equal to the secure hash algorithm SHA-1 [7, Chap. 9] and [16, Chap. 5].

1. Alice begins by choosing her public key $(p, a, y)$, where p is a large prime integer, a is a primitive element of the finite multiplicative group $\mathbb{Z}_p^*$ and $y = a^x \bmod p$. Element x, which is a random integer in $\{1, 2, 3, \ldots, p-1\}$, is Alice's private key.

2. Assume that Alice wants to sign the message $M < p$. She must solve the congruence

$$a^t = y^r r^s s^m \ [p] \qquad (5)$$

where r, s and t are three unknown variables and $m = h(M) \bmod p$.

Alice arbitrarily fixes r to be $r = a^k \bmod p$, and s to be $s = a^l \bmod p$, where k, l are chosen randomly in $\{1, 2, \ldots, p-1\}$.

Equation (5) is then equivalent to:

$$t = r x + k s + l m \ [p-1]. \qquad (6)$$

As Alice holds the secret key x and knows the values of r, s, k, l, m, she is able to compute the third unknown variable t.

3. Bob can verify the signature by checking that congruence (5) holds.

Our scheme has the advantage that it does not require the extended Euclidean algorithm for computing $k^{-1}$ modulo $p - 1$. Maybe this can be an answer to the problems evoked in [9, subsection 1.3].

To illustrate the technique, we give the following small example.

Example 3.1. Let $(p, a, y)$ be Alice's public key where: $p = 509$, $a = 2$ and $y = 482$. We emphasize that we are not sure whether using a small value of a weakens the system. The private key is $x = 281$. Suppose that Alice wants to produce a signature for the message M for which $m = h(M) = 432 \ [508]$ with the two random exponents $k = 208$ and $l = 386$. She computes $r = a^k = 2^{208} = 332 \ [p]$, $s = a^l = 2^{386} = 39 \ [p]$ and $t = r x + k s + l m = 440 \ [p-1]$. Bob or anyone can verify the relation $a^t = y^r r^s s^m \ [p]$. Indeed, we find that $a^t = 436 \ [p]$ and $y^r r^s s^m = 436 \ [p]$. Notice here that k and l are even integers, unlike in the ElGamal protocol where the exponent k is always odd since it must be relatively prime with $p - 1$.
3.2. Security analysis

Suppose that Oscar is an adversary of Alice. Let us discuss some possible and realistic attacks.

Attack 1: Knowing all signature parameters for a particular message M, Oscar tries to find Alice's secret key x.

Equation (5) is equivalent to $a^t = a^{x r} r^s s^m \ [p]$, so $a^{r x} = a^t r^{-s} s^{-m} \ [p]$. Therefore, Oscar is confronted with the hard discrete logarithm problem.
If Oscar prefers to work with relation (6), he needs to know k and l. Their computation leads to the discrete logarithm problem.

Attack 2: Oscar tries to forge Alice's signature for a message M by first fixing two of the unknown variables arbitrarily and looking for the third.

(1) Suppose for example that Oscar has fixed r, s and tries to solve equation (5) in the variable t. But here again, he will be confronted with the discrete logarithm problem.

(2) Assume that Oscar has fixed r and t. We have from relation (5): $r^s s^m = a^t y^{-r} \ [p]$; and there is no known way to solve this equation.

(3) Assume now that Oscar has fixed s and t. We have from relation (5): $y^r r^s = a^t s^{-m} \ [p]$; this equation is similar to the last case, so it is intractable.

Attack 3: Let us admit that Oscar has collected n valid signatures for messages $M_i$, $i \in \{1, 2, 3, \ldots, n\}$ and $n \in \mathbb{N}$. He will obtain a system (S) of n modular equations:

$$t_1 = x r_1 + k_1 s_1 + l_1 m_1 \ [p-1]$$
$$t_2 = x r_2 + k_2 s_2 + l_2 m_2 \ [p-1]$$
$$\vdots$$
$$t_n = x r_n + k_n s_n + l_n m_n \ [p-1]$$

where $\forall i \in \{1, 2, 3, \ldots, n\}$, $r_i = a^{k_i} \ [p]$, $s_i = a^{l_i} \ [p]$ and $m_i = h(M_i) \ [p]$.
Since system (S) contains $2n + 1$ unknown variables x, $r_i$, $s_i$, $i \in \{1, 2, 3, \ldots, n\}$, Oscar can find several valid solutions. However, as x is Alice's secret key, it has a unique value and therefore Oscar will never be sure which value of x is the correct one. Consequently, this attack is to be rejected.
The next result is similar to one that exists for the ElGamal scheme.

Proposition 3.2. If no hash function is used, then Oscar can existentially forge Alice's signature.

Proof. Assume that Alice produces the parameters (r, s, t) as a signature for the message M. So $a^t = y^r r^s s^m \ [p]$. Let $k, k', l, l' \in \mathbb{N}$ be four arbitrary integers with $\gcd(l', p-1) = 1$. If Oscar chooses $r = a^k y^{k'} \ [p]$ and $s = a^l y^{l'} \ [p]$, he would obtain:

$$a^t = y^r \left(a^{k s} y^{k' s}\right) \left(a^{l m} y^{l' m}\right) \ [p]. \qquad (7)$$

Relation (7) holds if

$$t - k s - l m = 0 \ [p-1] \qquad (7.1)$$
$$r + k' s + l' m = 0 \ [p-1] \qquad (7.2)$$

Oscar computes m from equality (7.2): $m = -\dfrac{r + k' s}{l'} \ [p-1]$; and from (7.1) he has $t = k s - \dfrac{l (r + k' s)}{l'} \ [p-1]$. Thus (r, s, t) is a valid signature for the message m.

□



Remark 3.3. Alice can sign two messages with the same couple of secret exponents. Indeed, let $(r, s, t_1)$ and $(r, s, t_2)$ be the signatures of the two different messages $M_1$ and $M_2$ associated with the secret exponents (k, l). We have

$$t_1 = x r + k s + l m_1 \ [p-1]$$
$$t_2 = x r + k s + l m_2 \ [p-1]$$

where $m_1 = h(M_1) \ [p-1]$ and $m_2 = h(M_2) \ [p-1]$.

We can follow the method used in the proof of Proposition 1 and find the value of l, but it seems that it is not an easy task to retrieve the secret parameters k and x.



3.3. Complexity of our method

As in [5], let $T_{exp}$, $T_{mult}$, $T_h$ be respectively the time to perform a modular exponentiation, a modular multiplication and a hash function computation of a message M. We ignore the time required for modular additions, subtractions and comparisons, and use the conversion $T_{exp} = 240\, T_{mult}$.

The signer Alice needs to perform two modular exponentiations, three modular multiplications and one hash function computation. So the global required time is: $T_1 = 2 T_{exp} + 3 T_{mult} + T_h = 483\, T_{mult} + T_h$.

The verifier Bob needs to perform four modular exponentiations, two modular multiplications and one hash function computation. So the global required time is: $T_2 = 4 T_{exp} + 2 T_{mult} + T_h = 962\, T_{mult} + T_h$.

The cost of communication, without M, is $6|p|$, since to sign, Alice transmits $(p, a, y)$ and $(r, s, t)$; $|p|$ denotes the bit-length of the integer p.
Observe that the complexity of our method is not too high relative to that of the ElGamal scheme or that in [5].

3.4. Theoretical generalization 

Let h be a public secure hash function. 
1. Alice begins by choosing her public key $(p, a, y)$, where p is a large prime integer, a is a primitive element of the finite multiplicative group $\mathbb{Z}_p^*$ and $y = a^x$; x is a random integer in $\{1, 2, 3, \ldots, p-1\}$ and is Alice's private key.

2. Assume that Alice wants to sign the message $m < p$. She must solve the congruence

$$a^t = y^{r_1} r_1^{r_2} r_2^{r_3} \cdots r_{n-1}^{r_n} r_n^{m} \ [p] \qquad (8)$$

where $r_1, r_2, \ldots, r_n, t$ are $n + 1$ unknown variables.

Alice arbitrarily fixes $r_1$ to be $r_1 = a^{k_1}$, $r_2$ to be $r_2 = a^{k_2}$, ..., and $r_n$ to be $r_n = a^{k_n}$, where $k_1, k_2, \ldots, k_n$ are chosen randomly.
Equation (8) is then equivalent to:

$$t = x r_1 + k_1 r_2 + \ldots + k_{n-1} r_n + k_n m \ [p-1]. \qquad (9)$$

As Alice holds the secret key x and knows the values $r_i, k_i, m$, $i \in \{1, 2, \ldots, n\}$, she is able to compute the $(n + 1)$th unknown variable t.

3. Bob can check that verification condition (8) is valid.

Remark 3.4. Let $u = (x, k_1, k_2, \ldots, k_n)$ be Alice's secret key vector and $v = (r_1, r_2, \ldots, r_n, m)$ the signature parameters vector. If $u \cdot v$ denotes the scalar product, then the last signature parameter t can be obtained from the modular equation $t = u \cdot v \ [p-1]$, which is an immediate consequence of relation (9).
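The following is an added Python example, not the paper's code, of the generalized scheme (8)-(9) and of Remark 3.4; with n = 2 it is exactly the three-variable protocol of section 3.1 and reproduces Example 3.1 (r = 332, s = 39, t = 440). The n = 4 exponents at the end are constructed here and are not from the paper.

```python
# Added example, not the paper's code: the n-exponent scheme of Section 3.4.
# Notation follows the paper: r_i = a^{k_i} [p] and, by relation (9),
# t = x r_1 + k_1 r_2 + ... + k_{n-1} r_n + k_n m [p-1].

def sign_variant(p, a, x, m, ks):
    """Signer: ks = [k_1, ..., k_n] random exponents; no inverse modulo p-1 is needed,
    so even exponents (unlike ElGamal's k) are admissible."""
    rs = [pow(a, k, p) for k in ks]                       # r_i = a^{k_i} [p]
    # Remark 3.4: t = u.v for u = (x, k_1, ..., k_n) and v = (r_1, ..., r_n, m).
    u, v = [x] + list(ks), rs + [m]
    t = sum(ui * vi for ui, vi in zip(u, v)) % (p - 1)
    return rs, t

def verify_variant(p, a, y, m, rs, t):
    """Verifier: a^t = y^{r_1} r_1^{r_2} ... r_{n-1}^{r_n} r_n^m [p] (condition (8))."""
    if not rs or any(not 1 <= r <= p - 1 for r in rs):
        return False                                      # malformed signature
    rhs = 1
    # Base/exponent pairs (y, r_1), (r_1, r_2), ..., (r_{n-1}, r_n), (r_n, m).
    for base, exp in zip([y] + rs, rs + [m]):
        rhs = rhs * pow(base, exp, p) % p
    return pow(a, t, p) == rhs

# The paper's Example 3.1 as the case n = 2: p = 509, a = 2, x = 281 (y = 482),
# m = h(M) = 432, k = 208, l = 386, expected r = 332, s = 39, t = 440.
P, A, X = 509, 2, 281
Y = pow(A, X, P)
RS, T = sign_variant(P, A, X, 432, [208, 386])
# A constructed n = 4 instance; these exponents are chosen here, not taken from the paper.
RS4, T4 = sign_variant(P, A, X, 432, [5, 7, 11, 13])
```

Any change to m or t makes the check (8) fail, since a has order p - 1 in $\mathbb{Z}_p^*$.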

4 Conclusion 

In this work, we described a new variant of the ElGamal signature scheme and analyzed its security. Our method relies on an ElGamal-like equation with three unknown variables and avoids the use of the extended Euclidean algorithm. We also gave a generalization for its theoretical interest.
For the future, one may try to see how to improve our new variant. One idea is to replace the modular group $\mathbb{Z}_p^*$ by a subgroup whose order is a prime divisor of $p - 1$, or by other remarkable structures such as the group of an elliptic curve.